[wp-trac] [WordPress Trac] #16778: wordpress is leaking user/blog information during wp_version_check()
WordPress Trac
noreply at wordpress.org
Thu Dec 8 09:08:58 UTC 2016
#16778: wordpress is leaking user/blog information during wp_version_check()
----------------------------+-----------------------
 Reporter:  investici       |       Owner:
     Type:  enhancement     |      Status:  reopened
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+-----------------------
Comment (by MattyRob):
Replying to [comment:69 Otto42]:
> Like so:
>
> {{{
> add_action( 'wp_version_check', 'falsify_user_blog_count', 1 );
> function falsify_user_blog_count() {
>     add_filter( 'pre_site_option_blog_count', '__return_zero' );
>     add_filter( 'pre_site_option_user_count', '__return_zero' );
> }
> }}}
>
> Essentially this preempts the data sent back, making it send zeros for
> that data instead. By hooking to wp_version_check action with a priority
> of 1, your actions connect before the data is retrieved in the
> wp_version_check function, and won't be connected the rest of the time
> (like when you're looking at the network dashboard). Since the
> wp_version_check action is fired via wp-cron, it's not fired in the main
> web process at all, and thus can't affect anything else.

Interesting piece of code - however I cannot find anywhere in the
WordPress core files where `do_action( 'wp_version_check' );` gets called.
Can you confirm where and when that hook gets fired?

I can see in wp-includes/update.php where the wp_version_check() is added
to the action, but if that action never gets called how is it going to
work?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16778#comment:75>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
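
The mechanism discussed in this message, as an added stand-alone example (not part of the original message and not WordPress core code). It models a priority-1 callback on the wp_version_check hook installing the pre_site_option_* filters before the priority-10 check reads the counts, with the hook fired by name from a scheduled event the way wp-cron.php passes each due event's hook to do_action_ref_array(). All demo_* names are hypothetical and the stored counts are constructed.

```php
<?php
// Stand-alone model of the hook behaviour discussed above. Not WordPress core:
// every demo_* name is hypothetical and the counts are constructed values.
$demo_hooks = [];   // hook name => priority => list of callbacks
function demo_add_hook(string $hook, callable $cb, int $priority = 10): void {
    global $demo_hooks;
    $demo_hooks[$hook][$priority][] = $cb;
}

// Run callbacks in ascending priority; each receives the running value.
function demo_run_hook(string $hook, $value = null) {
    global $demo_hooks;
    $by_priority = $demo_hooks[$hook] ?? [];
    ksort($by_priority);
    foreach ($by_priority as $callbacks) {
        foreach ($callbacks as $cb) { $value = $cb($value); }
    }
    return $value;
}

// Models get_site_option(): a non-false "pre_" filter result short-circuits the lookup.
function demo_get_site_option(string $name) {
    $stored = ['blog_count' => 42, 'user_count' => 1337]; // constructed values
    $pre = demo_run_hook("pre_site_option_$name", false);
    return $pre !== false ? $pre : $stored[$name];
}

// Models the version check at default priority 10: it reads the counts it would send.
$demo_sent = null;
demo_add_hook('wp_version_check', function ($v) use (&$demo_sent) {
    $demo_sent = [
        'blogs' => demo_get_site_option('blog_count'),
        'users' => demo_get_site_option('user_count'),
    ];
    return $v;
});

// The snippet from the ticket: priority 1, so the filters exist before the read.
demo_add_hook('wp_version_check', function ($v) {
    demo_add_hook('pre_site_option_blog_count', fn() => 0);
    demo_add_hook('pre_site_option_user_count', fn() => 0);
    return $v;
}, 1);

echo "before cron: ", demo_get_site_option('user_count'), "\n";
// The cron runner takes the hook name from the scheduled event, not from a literal.
$due_event = ['hook' => 'wp_version_check'];
demo_run_hook($due_event['hook']);
echo "sent by check: ", json_encode($demo_sent), "\n";
```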